
I had a BHO infection after being hijacked by a fake Shareaza site several months ago. Ad-Aware removed the infection, but each time I have restarted the machine the directory SHAREA~1/Mediabar/Datamngr appears in my Program Files(x86) folder. I deleted it and shredded the recycle bin, but the next time I restart, it appears again. The directory is empty, but I would like to prevent it from reappearing each time I restart the machine. I am running Windows 7 Pro 64-bit, with AVG, Ad-Aware, IObit Advanced System Care, SpywareBlaster, and Spybot S & D. None of these tools have been able to remove whatever is causing the problem. Please help!

Hi StephenClark,

Shareaza is undoubtedly responsible for infections on your machine.

You have a few things to do here. Just take one item at a time.

-----------------------------------------------

Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs

It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394

As a condition of receiving our help, I have included the P2P program Shareaza in the removal instructions below, so we are not wasting our time.

If you have used this, and your computer is infected, you can be fairly confident this is a principal reason.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Vuze, Shareaza, Bitlord. (Limewire has been shut down by the courts.)

Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

-----------------------------------------------------------

Remove Registry items with HijackThis.

Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)

Click Do System Scan Only.

When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll
O3 - Toolbar: MediaBar - {d48c9ead-f59f-4dea-ac97-7065fea79f42} - (no file)
O4 - HKLM\..\Run: [IObit Malware Fighter] "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe" /autostart
O4 - HKCU\..\Run: [Advanced SystemCare 4] C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe
O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files (x86)\Shareaza\RazaWebHook64.dll/3000
O15 - Trusted Zone: http://my.ebay.com
O20 - AppInit_DLLs: C:\PROGRA~2\SHAREA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~2\SHAREA~1\MediaBar\Datamngr\IEBHO.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked

Click the "X" in the upper right corner of the HiJackThis window to close it.

------------------------------------------------

Remove Programs Using Control Panel

From Start, Control Panel, click on Uninstall a program under the Programs heading.

Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Ad-Aware
IObit Malware Fighter
Java(TM) 6 Update 27
Shareaza 2.5.5.0
Smart Defrag 2
SpywareBlaster 4.4

Take extra care in answering questions posed by any Uninstaller.

-----------------------------------------------------------

REBOOT (RESTART) Your Machine

---------------------------------------------

Download the OTL Scanner

Please download OTL.exe by OldTimer and save it to your desktop.

---------------------------------------------

Run a Scan with OTL

Right click the icon and choose "Run as administrator" to run it.

Check the box at the top, labeled Include 64 bit scans

Check the boxes labeled:

Scan All Users

LOP check

Purity check

Extra Registry > Use SafeList

Make sure all other windows are closed to let it run uninterrupted.

Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL (desktop).

The Extras.txt file will only appear the very first time you run OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.
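A small triage helper for the HijackThis entries listed in the post above, added here as an example and not part of the original thread or of HijackThis itself. It parses the entries, picks out those HijackThis marks "(no file)" or "(file missing)", and shows that both AppInit_DLLs paths sit in the folder named in the question; the function names are assumptions.

```python
import ntpath
import re

# Five entries copied verbatim from the HijackThis list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files (x86)\Shareaza\RazaWebHook32.dll
O3 - Toolbar: MediaBar - {d48c9ead-f59f-4dea-ac97-7065fea79f42} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~2\SHAREA~1\MediaBar\Datamngr\datamngr.dll C:\PROGRA~2\SHAREA~1\MediaBar\Datamngr\IEBHO.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
"""

# "<code> - <kind>: <detail>", e.g. "O20 - AppInit_DLLs: <paths>"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<kind>.+?): (?P<detail>.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_entries(text):
    """Turn HijackThis log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        detail = m["detail"]
        clsid = CLSID.search(detail)
        dlls = []
        if m["kind"] == "AppInit_DLLs":
            # The registry value is space- or comma-delimited; the entries on
            # the page use 8.3 short paths, which contain no spaces.
            dlls = [p for p in re.split(r"[ ,]+", detail) if p]
        entries.append({"code": m["code"], "kind": m["kind"], "detail": detail,
                        "clsid": clsid.group(0) if clsid else None,
                        "orphaned": bool(ORPHAN.search(detail)), "dlls": dlls})
    return entries


def orphaned(entries):
    """Entries whose target file HijackThis reports as absent."""
    return [e for e in entries if e["orphaned"]]


def appinit_dirs(entries):
    """Parent folders of every DLL named in an AppInit_DLLs entry."""
    return sorted({ntpath.dirname(d) for e in entries for d in e["dlls"]})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in orphaned(parsed):
        print("orphaned:", e["code"], e["kind"], e["clsid"] or "")
    print("AppInit_DLLs folders:", appinit_dirs(parsed))
```
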

Thank you for your helpful reply. I followed your instructions to the letter, with the following exception: there was no "O8 - Extra context menu item: Download with &Shareaza - res://C:\Program Files (x86)\Shareaza\RazaWebHook64.dll/3000" in the list this time. I carefully checked all the others that you recommended. I deleted all the programs that you listed, and the Shareaza Program Folder, and SHAREA~1/Mediabar/datamngr. When I rebooted, SHAREA~1/Mediabar/datamngr appeared again in Program Files (x86), as it has been doing. Here are the OTL logs:

If you click on Start, Computer, right click on an empty space and choose Properties, what exactly does it report as the Windows Edition?

If you have anything you have locked using IOBit Unlocker, please Unlock all of it before proceeding.

------------------------------------------------

Remove Programs Using Control Panel

From Start, Control Panel, click on Uninstall a program under the Programs heading.

Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Advanced SystemCare 4
IObit Unlocker
MediaBar
Java(TM) 6 Update 26 (64-bit)

Take extra care in answering questions posed by any Uninstaller.

----------------------------------------------

Perform a Custom Fix with OTL

Run OTL (Right click and choose "Run as administrator" in Vista/Win7)

In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

For your information, I have restarted the machine several times before I received your latest reply above, and SHAREA~1/Mediabar/datamngr has not reappeared in Program Files (x86) again. The only other thing I did was disable the Port Forwarding in my router for port 6346, which Shareaza requires.

However on my wife's machine, which is on the same router, it is still reappearing after deletion and restart. I went ahead and ran SystemLook on my machine, and here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:28 on 22/09/2011 by Stephen Clark
Administrator - Elevation successful

Yes, I understand! I got tired of reading it myself. I am surprised that Shareaza left so many tracks.

Just for some background information, the original infection was iebho.dll, as identified by Ad-Aware, and it originated from a fake Shareaza site that offered an install file for a "new" version of Shareaza. I used this install file on both machines when I upgraded to Windows 7 x64 from Windows XP several months ago. The BHO screwed up Firefox searches and Explorer searches, and I suspect was sending keystrokes somewhere. Ad-Aware was able to remove the BHO itself and a few other files, and I was able to clean up Firefox and IE, but this niggling little directory I have not been able to get rid of. If we can discover how to do it, then I need to clean my wife's machine as well. Sometimes on Windows start on her machine, iebho.dll will try to execute, but Win 7 gives an error message about it being in the wrong format, or a corrupt file, and to reinstall the program or contact the vendor. This has been very annoying, and I am concerned that it may be doing other things that I am not aware of. I really do appreciate your determination to help me!

Click the Look button to start the scan.

Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient. (Takes about 4 minutes on my XP net book)

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

----------------------------------------------

Perform a Custom Fix with OTL

Right click the OTL icon and choose "Run as administrator"

In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

Please make sure it's all there in the Custom Scans box when you get through.

StephenClark,

One or two final things.

First we can get rid of the last reference to IEBHO.

----------------------------------------------

Perform a Custom Fix with OTL

Run OTL (Right click and choose "Run as administrator" in Vista/Win7)

In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):

----------------------------------------------

Now about AVG:

I would not recommend this antivirus, because it installs its "LinkScanner" toolbar.

That is really nothing but a paid toolbar from ask.com, which will give you its own self serving advice, and maybe some redirects.

Calling this a security tool is make-believe.

AVG has been widely derided for this. Avira now does the same thing. Ask.com pays them well so they don't seem to mind any ethical complications.

I don't need to tell you to stay away from P2P programs, I trust.

Most Forums will not be gracious if it's apparent that a second malware removal visit is required because of P2P.

Also please avoid registry cleaners, boosters, optimizers, etc. They are very risky and don't do any good.

OK, thanks for your advice, and the info about AVG. Can we try to clean my wife's machine now? It is identical to mine in hardware and operating system, and has all the same software. Or, do I need to post a new thread about her machine? Thanks so much for your help, and I will take your advice to heart.

We like to keep a separate topic for each machine, because these logs are used for teaching, so please start a new topic.

She can post the two logs directly from OTL first, without using DDS.

Mention Shareaza and link to this topic in the first post.
